OM-5.5.15

Conventional bank licensees must implement a written cyber security policy setting forth their policies for the protection of their electronic systems and the client data stored on those systems. The policy must be reviewed and approved by the licensee’s board of directors or senior management, as appropriate, at least annually. The cyber security policy must address areas including, but not limited to, the following:

(a) Definition of the key cyber security activities within the licensee, the roles, responsibilities, delegated powers and accountability for these activities;
(b) A statement of the licensee’s overall cyber risk tolerance as aligned with the licensee’s business strategy. The cyber risk tolerance statement should be developed through consideration of the various impacts of cyber threats including customer impact, service downtime, potential negative media publicity, potential regulatory penalties, financial loss, and others;
(c) Definition of main cyber security processes and measures and the approach to control and assessment;
(d) Policies and procedures (including process flow diagrams) for all relevant cyber security functions and controls including the following:
    (a) Asset management (hardware and software);
    (b) Incident management (detection and response);
    (c) Vulnerability management;
    (d) Configuration management;
    (e) Access management;
    (f) Third party management;
    (g) Secure application development;
    (h) Secure change management;
    (i) Cyber training and awareness;
    (j) Cyber resilience (business continuity and disaster planning); and
    (k) Secure network architecture.
Added: July 2021